93% website apps vulnerable after 'fixing'.


Nebulas Security have announced the results of further research from its partner Imperva's Application Defence Centre report, 'How safe is it out there'. Based on a four-year study into the vulnerability of public and private web applications, a key section of the report asserts that periodic penetration testing alone is not an effective means of reducing risks associated with web-enabled applications. Analysis of penetration retest data shows that despite periodic penetration testing and subsequent 'fixes' the inherent risk to an application does not decrease, but remains constant and may even increase over time. The retests conducted by Imperva's Application Defence Centre (ADC) revealed that 'high' or 'critical' vulnerabilities in applications actually increased from 89% to 93% after first time tests. In more than 500% of the retests, completely new categories of vulnerabilities appeared.

The report offers multiple explanations for these findings:

* After penetration testing, developers did not fix the identified vulnerabilities, either because they did not know how to fix them or because they ignored the results of the test.

* Developers introduced new vulnerabilities during the time between tests--either as part of the normal evolution of the website, or as part of an attempt to fix vulnerabilities identified during the penetration test.

* With additional time and the experience of the first test, the penetration testing team was able to find additional vulnerabilities that existed but were undetected during the first test.

Comment:

Security-minded software development and diligent testing of applications are necessary components to address compounding application vulnerabilities. However, to actually improve security over time, organisations need to deploy application security solutions and continue to use penetration testing to measure their efforts.

Application-level attacks on the rise

Application-level vulnerabilities leave the door open to costly external web attacks, internal database breaches and worms.

Comment:

"Application-level security threats continue to rise steadily in terms of volume and impact," said META Group, provider of information technology research, advisory services and strategic consulting. "Relying solely on software vendors to fix related vulnerabilities is a flawed strategy, particularly as the time the bad guys take to develop their attacks is clearly shrinking. The result is the need for controls that provide protection not only at the application layer, but also on a continuous, always-on basis."

The study detailed in this report, which ran from 2000-2003, summarises the analysis of over 300 application penetration tests of public and private sector web applications. The resulting white paper provides unique insights into the frequency, types, risk and consequences of vulnerabilities that exist across the test group of financial, government, telecommunications and information technology organisations. The report can be downloaded from:

http://www.imperva.com/application_defensecenter /papgrs/how_safe_is_it.html
COPYRIGHT 2004 A.P. Publications Ltd.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2004, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Publication:Database and Network Journal
Date:Aug 1, 2004